Chief Product Officer, driving next-gen innovation across Sophos’ portfolio of network and end-user security, and Sophos Central groups.
The ransomware business is booming. High returns are motivating more cybercriminals to explore this lucrative economy, including testing new approaches that may yield higher or more consistent payouts.
The low-volume, high-ransom attacks that take aim at big targets and generate multimillion-dollar payouts likely aren’t going away. Until enterprises stop paying, these attacks will continue to rock headlines.
Recently, however, we’ve seen the emergence of a new ransomware as a service model (RaaS) with high-volume, low-ransom attacks, like the recent Dharma and Maze attacks. These side-hustle operations create a “fast-food franchise” approach to ransomware, where operators can sell or even freely give away various iterations of the same RaaS as prepackaged tools for less sophisticated cybercriminals.
Blended ransomware that hits thousands of targets with a single RaaS package isn’t exactly a new phenomenon. Dharma ransomware, for example, has been around for about four years; Cryptolocker, which indiscriminately hit hundreds of thousands of victims, emerged seven years ago.
MORE FOR YOU
But while these tactics and capabilities may not be new, the relationship between the monetization and the effectiveness of these attacks is a disturbing new trend. And that in turn could further fuel the franchising of ransomware.
The Exploding Availability Of Ransomware — And The Masterminds Behind It
The basic RaaS model isn’t that different from previous exploit kit models: selling easy-to-use prepackaged ransomware kits to attackers who are eager to deploy them. The difference is that RaaS creates an extra degree of distance between the creators and the attackers. The ones who created the RaaS profit from whatever commission they get from the sale of their ransomware packages to those willing to execute the attack — while not directly tying themselves to the actual attack. If they’re just creating the tools and not doing any of the actual dirty work, that likely spares them from the harshest consequences, like jail. At the same time, they profit from getting their work out into the hands of those willing to pay to use it — for ransomware creators, it’s the best of both worlds.
And it’s beneficial for both sides. For instance, some Russian-speaking hackers may have the skills to write malware but aren’t able to communicate it effectively in English, so you get phishing emails with misspellings and bad grammar that are immediate red flags to potential victims. English-speaking ransomware creators help fill that gap: They provide the English-language tools that more easily dupe victims but can be perpetrated by actors from a non-English-speaking country. And the reverse is also true: Non-English-speaking creators might enlist English-speaking translators to lend a veneer of believability to their ransomware lures.
It’s the age-old criminal enterprise model I’ve observed for the malware world: Somebody creates the product; someone else recruits the runners, who move it from A to B, and someone else specializes in how to market it.
Marketing, management and social savvy are different skill sets than hardcore hacking; bringing these together into one fold requires a lot of go-betweens, which can create more distance between those who make the ransomware and those who execute it. Not unlike an old-school mafia, the “heads” of the so-called family are insulated from consequences by having people further down the ladder do the dirty work. They may also reside in countries that won’t charge them with crimes over it.
The real kicker is that a lot of this isn’t done in the stereotypical shadowy corners of the dark web. Instead, it’s done out on the public internet, albeit often in closed forums, with ransomware creators openly advertising their RaaS packages to would-be attackers in exchange for an upfront fee or a cut of the ransom. And because many of these people likely live in places with no risk of extradition, they have no reason to hide.
What Does The Evolving Ransomware Economy Mean For You?
If there’s a silver lining to this trend, it’s in the trade-off between the quantity and quality of ransomware — the two are going in opposite directions.
Bespoke ransomware attacks are more sophisticated. If a bespoke ransomware package hits three targets in one day, the attackers utilize three separate packages of code; we don’t usually see the same bespoke malware twice, which makes that brand of ransomware harder to defend against. Often, you don’t know what you’re facing until it’s already hit you.
RaaS, on the other hand, is cookie-cutter. Simple ransomware protections provide adequate defense against these attacks. Even better: RaaS is distributed to so many affiliate users and deployed against so many targets that by the time it’s widely distributed, it’s already days old and well known. The sooner the word is out, the quicker there is awareness about it — and protection against it.
These high-volume but low-grade, spray-and-pray attacks look to reap their ransoms against thousands of targets. In my experience, the success rate is pretty low, and RaaS attackers depend on, say, a 2% success rate against tens of thousands of targets to make a profit.
That means the vast majority of organizations should not necessarily look at RaaS as the beginning of some apocalyptic trend of malware attacks on their business. As long as they’re equipping the right ransomware protection systems and keeping abreast of new updates on that front, they can remain a step ahead — which is not how it usually goes with ransomware.
Going forward, governments and policymakers should do something about ransomware. I believe strict regulations that crack down on the ransomware economy with criminal consequences, such as indictments, will be necessary for stifling the growth of this market. That’s because as time goes on, ransomware packages will only get more sophisticated. These groups already seem to be cooperating, pooling resources, sharing tooling and ramping up their investments because it’s easy money. They’re not unlike any other criminal organization in that if they’re left to their own devices, they’ll only get craftier and more difficult to stop. The only way to stop that may be for lawmakers and law enforcement to come down hard on them — sooner rather than later.